authorJoel Sing <jsing@cvs.openbsd.org>2020-02-16 16:36:41 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2020-02-16 16:36:41 +0000
commitc0817cb3897f92d9d7e12a4be4eba8c573681eba (patch)
tree7848796a6baaf84508ddc35a0885b4c840d53b00 /lib/libssl
parenta5b80708a5fa96bc941a2f8e61924c2d71a65604 (diff)
Avoid potential NULL dereference when parsing a server keyshare extension.
It is currently possible for key_share to be NULL when a TLS client receives a keyshare extension. However, for this to occur the client has to be doing TLS 1.2 or earlier, which means that it was invalid for the server to send the extension. As such, check for NULL and treat it as an invalid extension. Found by oss-fuzz (#20741 and #20745). ok inoguchi@ tb@
Diffstat (limited to 'lib/libssl')
-rw-r--r--lib/libssl/ssl_tlsext.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 3d1d1c8b7b4..f9077415147 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.60 2020/02/06 13:14:17 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.61 2020/02/16 16:36:40 jsing Exp $ */
/*
* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1349,6 +1349,9 @@ tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert)
if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
return 0;
+ if (S3I(s)->hs_tls13.key_share == NULL)
+ return 0;
+
if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share,
group, &key_exchange))
goto err;
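Review bot: The added `if (S3I(s)->hs_tls13.key_share == NULL) return 0;` rejects the extension without writing `*alert`, so the alert sent to the peer depends on a default set by the caller, which is not visible in this hunk. If no such default exists, set one explicitly before the return, for example `*alert = SSL_AD_ILLEGAL_PARAMETER;` or whichever alert the project uses for an extension that is invalid for the negotiated version. The reason key_share can be NULL is given only in the commit message, so a short comment above the check would keep it with the code: `/* key_share is NULL when the client is doing TLS 1.2 or earlier; a server keyshare is then invalid. */`. The new path uses `return 0` while the next failure uses `goto err`; the function body starts and ends outside the hunk, so it is worth confirming that nothing acquired before this point needs the `err` cleanup. Since oss-fuzz found this, a regress case that feeds a keyshare extension to a client with no key_share would pin the behaviour.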